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IN THE CLAIMS 

1 1 . [ALLOWED] A method for securely communicating packets between a first 

2 computer device and a second computer device through a packet-switched data 

3 transmission network comprising intermediate computer devices, where at least one of 

4 said intermediate computer devices may perform a network address translation or a 

5 protocol conversion resulting in alteration of a packet propagating therethrough, the 

6 method comprising the steps of 

7 - determining what network address translations or protocol conversions, if any, 

8 occur on packets transmitted in a data path between said first computer device 

9 and the said second computer device on packets transmitted between said first 

I 0 computer device and said second computer device, 

II - if it is found that network address translations or protocol conversions occur in 
1 2 said data path between said first computer device and said a second computer 

1 3 device, taking packets conforming to a first protocol and using said first computer 

1 4 device to encapsulate them into packets conforming to a second protocol, which 

1 5 said second protocol being capable of traversing network address translations 

1 6 and protocol conversions, 

1 7 - transmitting said packets conforming to said second protocol from said first 

1 8 computer device to said second computer device; and 

1 9 - decapsulating said transmitted packets conforming to said second protocol into 

2 0 packets conforming to said first protocol. 

1 2. [ALLOWED] A method according to claim 1, wherein the step of taking 

2 packets conforming to a first protocol and encapsulating them into packets conforming to 
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3 a second protocol comprises the substeps of 

4 - taking packets conforming to the Internet Protocol, 

5 - processing said packets according to the IPSEC protocol suite and 

6 - encapsulating the processed packets into packets conforming to the User 

7 Datagram Protocol. 

1 3. [ALLOWED] A method according to claim 1 , wherein the step of taking 

2 packets conforming to a first protocol and encapsulating them into packets conforming to 

3 a second protocol comprises the substeps of 

4 - taking packets conforming to the Internet Protocol, 

5 - processing said packets according to the IPSEC protocol suite and 

6 - encapsulating the processed packets into packets conforming to the 

7 Transmission Control Protocol. 

1 4. [ALLOWED] A method according to claim 1 , further comprising the step of 

2 compensating for the network address translations on said second protocol in the 

3 packets that are transmitted from said first computer device to said second computer 

4 device. 

1 5. [ALLOWED] A method according to claim 4, wherein said step of 

2 compensating for said network address translations comprises a step of performing 

3 address translation based on the information obtained in the step of determining what 

4 network address translations, if any, occur on packets transmitted between said first 

5 computer device and said second computer device. 
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1 6. [ALLOWED] A method according to claim 5, wherein said step of 

2 compensating for said network address translations further comprises a step of 

3 performing port number translation based on the information obtained in the step of 

4 determining what network address translations, if any, occur on packets transmitted 

5 between said first computer device and said second computer device. 

1 7. [ALLOWED] A method according to claim 1 , additionally comprising the step of 

2 periodically transmitting keepalive packets between said first computer device and said 

3 second computer device to ensure that said network address translations, if any, 

4 occurring on packets transmitted between said first computer device and said second 

5 computer device stay the same. 

1 8. [ALLOWED] A method for conditionally setting up a secure communication 

2 connection between a first computer device and a second computer device through a 

3 packet-switched data transmission network including intermediate computer devices, 

4 where at least one of said computer devices performs a network address translation or 

5 a protocol conversion or both a protocol conversion and a network address translation, 

6 the method comprising the steps of 

7 - finding out, whether or not said second computer device supports a 

8 communication method where: 

9 it is determined what network address translations or and/or 
1 0 protocol conversions or both, if any, occur on packets transmitted 

1 1 between said first computer device and said second computer device; 

12 if it is found that network address translations or protocol 

1 3 conversions occur on packets transmitted between said first computer 
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1 4 device and said second computer device, packets are taken that conform 

15 to a first protocol and encapsulated into packets that conform to a second 

1 6 protocol, which second protocol is capable of traversing network address 

1 7 translations and/or protocol conversions; 

1 8 said packets conforming to said second protocol are transmitted 

1 9 from said first computer device to said second computer device; 

2 0 and said transmitted packets conforming to said second protocol 
2 1 are decapsulated into packets conforming to said first protocol, 

2 2 - as a response to a finding indicating that the second computer device supports 

2 3 said communication method, setting up a secure communication connection 

2 4 between said first computer device and said second computer device in which 

2 5 communication connection said communication method is employed and 

2 6 - as a response to a finding indicating that said second computer device does not 

2 7 support said communication method, disabling use of said communication method 

2 8 between said first and said second computer devices. 

1 9. [ALLOWED] A method for tunnelling packets between a first computer device 

2 and a second computer device through a packet-switched data transmission network 

3 comprising intermediate computer devices, where at least one of said computer devices 

4 performs a network address translation and/or a protocol conversion, the method 

5 comprising the steps of 

6 - establishing a bidirectional tunnelling mode between said first computer device 

7 and said second computer device by exchanging packets conforming to a secure 

8 communication protocol, 

9 - determining if one or more network address translations and/or protocol 
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1 0 conversions occur on packets travelling from said first computer to said second 

1 1 computer, and if so, taking packets conforming to a first protocol and 

1 2 encapsulating them at said first computer device into packets conforming to a 

1 3 second protocol, which second protocol is capable of traversing network 

1 4 address translations, 

1 5 - transmitting said packets conforming to said second protocol from said first 

1 6 computer device to said second computer device, 

1 7 - decapsulating said transmitted packets conforming to said second protocol into 

1 8 packets conforming to said first protocol at the second computer device, 

1 9 - obtaining information about the address translations occurred on packets 

2 0 transmitted between said first computer device and said second computer device 
21 and 

2 2 - using said obtained information to modify the established bidirectional tunnelling 

2 3 mode between said first computer device and said second computer device. 

1 10. [ALLOWED] A method according to claim 9, wherein the step of obtaining 

2 information about the address translations occurred on packets transmitted between said 

3 first computer device and said second computer device comprises the substeps of 

4 - transmitting a packet between said first computer device and said second 

5 computer device, said packet comprising a header part and a payload part, and 

6 - comparing a network address transmitted in said payload part to a network 

7 address transmitted in said header part in order to find out what changes have 

8 occurred on said network address transmitted in said header part. 



1 11. [ALLOWED] A method according to claim 9, additionally comprising the step of 
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2 periodically transmitting keepalive packets between said first computer device and said 

3 second computer device to ensure that network address translations, if any, occurring 

4 on packets transmitted between said first computer device and said second computer 

5 device stay the same. 

1 12. [ALLOWED] A method according to claim 9, wherein the step of using said 

2 obtained information to modify the operation of the tunnelling of packets comprises the 

3 substep of introducing an address translation before the encapsulation of packets in 

4 order to compensate for the network address translations that occur on packets 

5 transmitted between said first computer device and said second computer device. 

1 1 3. [ALLOWED] A method according to claim 9, wherein the step of using said 

2 obtained information to modify the operation of the tunnelling of packets comprises the 

3 substep of introducing an address translation after the decapsulation of packets in order 

4 to compensate for the network address translations that occur on packets transmitted 

5 between said first computer device and said second computer device. 

1 14. [CANCELLED] 

2 

1 15. [CANCELLED] 

1 16. [ALLOWED] A method for securely communicating packets between a first 

2 computer device and a second computer device through a packet-switched data 

3 transmission network including intermediate computer devices, where at least one of 

4 said computer devices performs a network address translation and/or a protocol 
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5 conversion and where a security protocol exists comprising a key management 

6 connection, the method comprising the steps of 

7 - a method for determining what network address translations, if any, occur on 

8 packets transmitted between said first computer device and said second 

9 computer device: 

1 0 establishing a key management connection according to said 

1 1 security protocol between said first computer device and said second 

1 2 computer device; 

1 3 composing an indicator packet with a header part and a payload 

1 4 part of which both comprise the network addresses of said first computer 

1 5 device and said second computer device as seen by the node composing 

1 6 said packet; 

1 7 transmitting and receiving said indicator packet within said key 

1 8 management connection; and 

1 9 comparing in the received indicator packet the addresses 

2 0 contained in said header part and said payload part, and 

2 1 - using the information concerning the determined occurrences of network 

2 2 address translations for securely communicating packets between the said first 

2 3 computer device and said second computer device. 

1 17. [ALLOWED] A method according to claim 16, wherein the security protocol 

2 determines a standard port number for a key management connection, and the method 

3 further comprises the step of comparing in the received indicator packet a source port 

4 number against said standard port number for a key management connection. 
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1 18. [CANCELLED] 

2 

1 19. [CANCELLED] 

1 20. [CANCELLED] 

1 21. [CANCELLED] 

1 22. [CANCELLED] 

1 23. [CANCELLED] 

1 24. [ALLOWED] A method for securely communicating packets between a first 

2 computer device and a second computer device through a packet-switched data 

3 transmission network comprising intermediate computer devices, where at least one of 

4 said intermediate computer devices may perform a network address translation and/or a 

5 protocol conversion resulting in alteration of a packet propagating therethrough, the 

6 method comprising the steps of 

7 - determining what network address translations or protocol conversions, 

8 if any, occur on packets transmitted in a data path between said first computer 

9 device and said second computer device on packets transmitted between said 

I 0 first computer device and said second computer device, 

II - if it is found that network address translations and/or protocol 

1 2 conversions occur in said data path between said first computer device and said 

1 3 a second computer device, taking packets conforming to a first protocol and using 
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1 4 said first computer device to encapsulate them into packets conforming to a 

1 5 second protocol, said second protocol being capable of traversing network 

1 6 address translations and protocol conversions, 

1 7 - transmitting said packets conforming to said second protocol from said 

1 8 first computer device to said second computer device. 

1 25. [ALLOWED] The method of claim 24 further comprising the step of 

2 determining if said second computer device supports a secure data communication 

3 protocol prior to performing said step of determining what, if any, network address 

4 translations and/or protocol conversions are occurring in communications between said 

5 first computer device and said second computer device. 

1 26. [ALLOWED] The method of claim 24 wherein the step of determining what, if 

2 any, network address translations or protocol conversions are occurring in 

3 communications between said first computer device and said second computer device is 

4 accomplished by: 

5 sending at least one IKE Phase 2 Quick Mode message packet from said 

6 first computer device to said second computer device including in its private 

7 payload section IP addresses for an initator and responder as seen by said first 

8 computer device, where one of said first and second computer devices is said 

9 initiator and the other of said first and second computer devices is said 
1 0 responder; and 

1 1 receiving at least one IKE Phase 2 Quick Mode message packet from said 

1 2 second computer device which was sent by said first computer device and 

1 3 including in its private payload section IP addresses for said initator and said 
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1 4 responder as seen by said second computer device; and 

1 5 in said first computer device, comparing said IP addresses in said 

1 6 header(s) of said at least one IKE Phase 2 Quick Mode message packet(s) 

1 7 received from said second computer device to said IP addresses in said private 

1 8 payload section, and, if there is a difference, concluding that a network address 

1 9 translation or a protocol conversion or both have occurred on the data path 

2 0 between said first computer device and said second computer device. 

1 27. [ALLOWED] The process of claim 26 further comprising the step of 

2 periodically transmitting keepalive packets from said first computer device to said second 

3 computer device if it is determined that NAT or protocol conversions or both are 

4 occurring with the interval between said keepalive packets being set to insure that 

5 mappings of said NAT or protocol conversions or both stay the same. 

1 28. [ALLOWED] The method of claim 24 wherein the step of determining what, if 

2 any, port translations are occurring in communications between said first computer 

3 device and said second computer device is accomplished by comparing the port number 

4 in a packet header for a packet of a protocol that can withstand port translations and 

5 which encapsulates an IKE protocol packet sent from said second computer device to 

6 said first computer device, and if said port number is not a port number associated with 

7 the IKE protocol, concluding that one or more port translations is occurring on a data path 

8 between said second computer device and said first computer device. 

1 29. [CANCELLED] 
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1 30. [ALLOWED] A method for conditionally setting up a secure communication 

2 connection and communicating data between a first computer device and a second 

3 computer device through a packet-switched data transmission network including 

4 intermediate computer devices, where at least one of said computer devices performs a 

5 network address translation or a protocol conversion or both a protocol conversion and 

6 a network address translation, the method comprising the steps of: 

7 carrying out a negotiation between said first and second computer devices to 

8 determine if said second computer device supports a secure communication protocol 

9 which is incompatible with network address translations or protocol conversions or both; 
10 as a response to a finding indicating that the second computer device supports 

1 1 said secure communication protocol, setting up a secure communication connection 

1 2 between said first computer device and said second computer device in which 

1 3 communication connection said secure communication protocol is employed; 

14 as a response to a finding indicating that said second computer device does not 

1 5 support said secure communication protocol, disabling use of said secure communication 

1 6 protocol between said first and said second computer devices; 

17 if it is found that said second computer device supports said secure 

1 8 communication protocol, determining what network address translations or protocol 

1 9 conversions or both, if any, occur on packets transmitted between said first computer 

2 0 device and said second computer device; 

21 if it is found that network address translations or protocol conversions occur on 

2 2 packets transmitted between said first computer device and said second computer 

2 3 device, taking packets that conform to said secure communication protocol and 

2 4 encapsulating them into packets that conform to a second protocol, which second 

2 5 protocol is capable of traversing network address translations or protocol conversions, 
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2 6 or both without violating said second protocol; 

2 7 if it is found that network address translations or protocol conversions occur on 

2 8 packets transmitted between said first computer device and said second computer 

2 9 device, periodically transmitting keepalive packets from said first computer device to said 

3 0 second computer device with the interval between said keepalive packets being set to 
3 1 insure that mappings of said NAT or protocol conversions or both stay the same; 

3 2 transmitting said packets conforming to said second protocol from said first 

3 3 computer device to said second computer device. 

34 

1 31 . [ALLOWED] The method of claim 30 wherein said secure communication 

2 protocol is the IPsec protocol, and said second protocol is either the TCP or UDP protocol. 

1 32. [ALLOWED] The method of claim 30 wherein said step of determining if said 

2 second computer device supports a secure communication protocol includes the step of 

3 finding out whether said second computer supports the IPsec protocol, and wherein said 

4 step of determining what network address translations or protocol conversions or both, 

5 if any, occur on packets transmitted between said first computer device and said second 

6 computer device comprises the steps: 

7 sending at least one IKE Phase 2 Quick Mode message packet from said 

8 first computer device to said second computer device including in its private 

9 payload section IP addresses for an initator and responder as seen by said first 
1 0 computer device, where one of said first and second computer devices is said 

1 1 initiator and the other of said first and second computer devices is said 

1 2 responder; and 
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1 3 receiving at least one IKE Phase 2 Quick Mode message packet from said 

1 4 second computer device which was sent by said first computer device and 

1 5 including in its private payload section IP addresses for said initator and said 

1 6 responder as seen by said second computer device; and 

1 7 in said first computer device, comparing said IP addresses in said 

1 8 header(s) of said at least one IKE Phase 2 Quick Mode message packet(s) 

1 9 received from said second computer device to said IP addresses in said private 

2 0 payload section, and, if there is a difference, concluding that a network address 
2 1 translation or a protocol conversion or both have occurred on the data path 

2 2 between said first computer device and said second computer device. 

1 33. [ALLOWED] The method of claim 30 wherein the step of determining what, if 

2 any, port translations are occurring in communications between said first computer 

3 device and said second computer device is accomplished by comparing the port number 

4 in a packet header for a packet of a protocol that can withstand port translations and 

5 which encapsulates an IKE protocol packet sent from said second computer device to 

6 said first computer device, and if said port number is not a port number associated with 

7 the IKE protocol, concluding that one or more port translations is occurring on a data path 

8 between said second computer device and said first computer device. 
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